diff --git a/socat-1.7.4.4-openssl-groups.patch b/socat-1.7.4.4-openssl-groups.patch new file mode 100644 index 0000000..961ca3d --- /dev/null +++ b/socat-1.7.4.4-openssl-groups.patch @@ -0,0 +1,145 @@ +Add openssl-groups option for post-quantum key exchange + +Enable configuration of TLS key exchange groups to support post-quantum +cryptography hybrid KEMs like X25519MLKEM768. Replaces hardcoded P-256 +with modern SSL_CTX_set1_groups_list() API for OpenSSL 1.1.0+. + +Co-developed-by: Claude AI +Signed-off-by: Martin Osvald + +diff --git a/doc/socat.1 b/doc/socat.1 +index e21fe97..b406044 100644 +--- a/doc/socat.1 ++++ b/doc/socat.1 +@@ -3092,6 +3092,13 @@ to proof that it is the owner of a certificate needs the private key\&. + Specifies the file with the Diffie Hellman parameters\&. These parameters may + also be in the file given with the cert + option in which case the dhparams option is not needed\&. ++.IP "\fB\f(CWopenssl-groups=\fP\fP" ++Specifies the list of key exchange groups (curves) for the ++connection\&. The is a colon\-separated list of ++group names in preference order\&. Useful for enabling post\-quantum ++cryptography (PQC) in TLS 1\&.3, e\&.g\&., ++\(dq\&X25519MLKEM768:X25519:prime256v1\(dq\&\&. Requires OpenSSL 1\&.1\&.0 or ++higher\&. If not specified, OpenSSL uses its built\-in defaults\&. + .IP "\fB\f(CWcafile=\fP\fP" + Specifies the file with the trusted (root) authority certificates\&. The file + must be in PEM format and should contain one or more certificates\&. The party +diff --git a/doc/socat.yo b/doc/socat.yo +index 49ab0dd..b441011 100644 +--- a/doc/socat.yo ++++ b/doc/socat.yo +@@ -2832,6 +2832,12 @@ label(OPTION_OPENSSL_DHPARAMS)dit(bf(tt(dhparams=))) + Specifies the file with the Diffie Hellman parameters. These parameters may + also be in the file given with the link(cert)(OPTION_OPENSSL_CERTIFICATE) + option in which case the dhparams option is not needed. ++label(OPTION_OPENSSL_GROUPS)dit(bf(tt(openssl-groups=))) ++ Specifies the list of key exchange groups (curves) for the connection. ++ The bf(tt()) is a colon-separated list of group names in ++ preference order, e.g. tt(X25519MLKEM768:X25519:prime256v1). Useful for ++ enabling post-quantum cryptography (PQC) in TLS 1.3. Requires OpenSSL 1.1.0 ++ or higher. If not specified, OpenSSL uses its built-in defaults. + label(OPTION_OPENSSL_CAFILE)dit(bf(tt(cafile=))) + Specifies the file with the trusted (root) authority certificates. The file + must be in PEM format and should contain one or more certificates. The party +diff --git a/xio-openssl.c b/xio-openssl.c +index 7d088cf..700f2d1 100644 +--- a/xio-openssl.c ++++ b/xio-openssl.c +@@ -124,6 +124,7 @@ const struct optdesc opt_openssl_key = { "openssl-key", "key", + const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; + const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; + const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; ++const struct optdesc opt_openssl_groups = { "openssl-groups", NULL, OPT_OPENSSL_GROUPS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC }; + const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; + const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC }; + #if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined(OPENSSL_NO_COMP) +@@ -1263,20 +1264,30 @@ cont_out: + ; + } + +-#if HAVE_TYPE_EC_KEY /* not on Openindiana 5.11 */ ++ /* Configure supported groups/curves for key exchange */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L + { +- /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */ +- int nid; +- EC_KEY *ecdh; ++ char *opt_groups = NULL; + +-#if 0 +- nid = OBJ_sn2nid(ECDHE_CURVE); +- if (nid == NID_undef) { +- Error("openssl: failed to set ECDHE parameters"); +- return -1; ++ retropt_string(opts, OPT_OPENSSL_GROUPS, &opt_groups); ++ ++ if (opt_groups != NULL) { ++ if (!SSL_CTX_set1_groups_list(ctx, opt_groups)) { ++ Warn2("SSL_CTX_set1_groups_list(ctx, \"%s\"): %s", ++ opt_groups, ERR_error_string(ERR_get_error(), NULL)); ++ Error1("Failed to set OpenSSL groups: %s", opt_groups); ++ return -1; ++ } ++ Info1("OpenSSL key exchange groups set to: %s", opt_groups); ++ } else { ++ Debug("OpenSSL groups not specified, using library defaults"); + } +-#endif +- nid = NID_X9_62_prime256v1; ++ } ++#elif HAVE_TYPE_EC_KEY ++ /* Legacy API for OpenSSL < 1.1.0: single curve only, no PQC support */ ++ { ++ int nid = NID_X9_62_prime256v1; ++ EC_KEY *ecdh; + ecdh = EC_KEY_new_by_curve_name(nid); + if (NULL == ecdh) { + Error("openssl: failed to set ECDHE parameters"); +@@ -1284,8 +1295,9 @@ cont_out: + } + + SSL_CTX_set_tmp_ecdh(ctx, ecdh); ++ EC_KEY_free(ecdh); + } +-#endif /* HAVE_TYPE_EC_KEY */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + + #if OPENSSL_VERSION_NUMBER >= 0x00908000L + if (opt_compress) { +diff --git a/xio-openssl.h b/xio-openssl.h +index 6ec3d3a..285f621 100644 +--- a/xio-openssl.h ++++ b/xio-openssl.h +@@ -23,6 +23,7 @@ extern const struct optdesc opt_openssl_verify; + extern const struct optdesc opt_openssl_certificate; + extern const struct optdesc opt_openssl_key; + extern const struct optdesc opt_openssl_dhparam; ++extern const struct optdesc opt_openssl_groups; + extern const struct optdesc opt_openssl_cafile; + extern const struct optdesc opt_openssl_capath; + extern const struct optdesc opt_openssl_egd; +diff --git a/xioopts.c b/xioopts.c +index d0ecfae..d7be3eb 100644 +--- a/xioopts.c ++++ b/xioopts.c +@@ -1173,6 +1173,7 @@ const struct optname optionnames[] = { + IF_OPENSSL("openssl-dhparam", &opt_openssl_dhparam) + IF_OPENSSL("openssl-dhparams", &opt_openssl_dhparam) + IF_OPENSSL("openssl-egd", &opt_openssl_egd) ++ IF_OPENSSL("openssl-groups", &opt_openssl_groups) + #if WITH_FIPS + IF_OPENSSL("openssl-fips", &opt_openssl_fips) + #endif +diff --git a/xioopts.h b/xioopts.h +index 425960f..dee5342 100644 +--- a/xioopts.h ++++ b/xioopts.h +@@ -485,6 +485,7 @@ enum e_optcode { + OPT_OPENSSL_CERTIFICATE, + OPT_OPENSSL_CIPHERLIST, + OPT_OPENSSL_COMMONNAME, ++ OPT_OPENSSL_GROUPS, + #if OPENSSL_VERSION_NUMBER >= 0x00908000L + OPT_OPENSSL_COMPRESS, + #endif diff --git a/socat.spec b/socat.spec index 2fd684a..bba1700 100644 --- a/socat.spec +++ b/socat.spec @@ -3,7 +3,7 @@ Summary: Bidirectional data relay between two data channels ('netcat++') Name: socat Version: 1.7.4.4 -Release: 8%{?dist} +Release: 9%{?dist} License: GPL-2.0-only Url: http://www.dest-unreach.org/socat/ Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz @@ -11,6 +11,8 @@ Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz Patch1: socat-1.7.3.3-warn.patch Patch2: socat-configure-c99.patch Patch3: socat-1.7.4.4-CVE-2024-54661.patch +# https://redhat.atlassian.net/browse/RHEL-129232 +Patch4: socat-1.7.4.4-openssl-groups.patch BuildRequires: make BuildRequires: gcc @@ -75,6 +77,10 @@ export OD_C=/usr/bin/od %doc %{_mandir}/man1/* %changelog +* Mon Jun 01 2026 Martin Osvald - 1.7.4.4-9 +- Add openssl-groups option for post-quantum key exchange + Resolves: RHEL-129232 + * Tue Jan 7 2025 Joe Orton - 1.7.4.4-8 - add fix for CVE-2024-54661 Resolves: RHEL-70097